Blastwave

Earlier on today, the main Blastwave website got replaced by this message :

Blastwave is a registered trademark of Blastwave.org Inc. in the
United States and Canada. All assets of Blastwave.org Inc. are frozen
until further notice. All Solaris(tm) related open source software
work and services are cancelled. All websites, documents and binary
software packages that bear the mark Blastwave or Blastwave(tm) are no
longer available until further notice.

At the same time, mailing lists, shell logins and other services seem to have been shutdown and/or removed from DNS. None of this came with any warning or notification to the maintainers, and I still don't know what's going on. I can't access any of the build servers, so it's fairly safe to assume that my build scripts, packages, documentation, and everything else I've been working on for the Solaris community over the last 5 years is gone also. As if that wasn't enough, there are also reports that someone has been attempting to sabotage various mirror sites. I don't know how to take that - but frankly, right now, I don't care. I'm out. I've had it with the political fighting and drama. Many maintainers had already left following the last spat - I simply don't have the will to get involved in it any more, the damage has already been done. If anyone is still using my Blastwave packages (PostgreSQL, Nessus, PHP4, and some others) I recommend you switch to something else, like Sun's own CoolStack or OpenSolaris.

There's plenty more I could say, but at this point I think it's perhaps better to simply leave it. It's a sad day for me: seeing years of work towards something that I believed in, and helped a great many people, all go to ruin. It's even sadder for the Solaris community as a whole; this was a true grass-roots organisation - made up from like-minded Solaris users, admins, programmers and fans - who gave up countless hours of their own time to help others. I think the least we deserve is an explanation, but somehow I don't think one at this stage would make any difference anyway.

Update : People have been mailing me to say the main page is back up - true, but it's a case of "the lights are on, but no one's home". Check the thread in comp.unix.solaris.

Blastwave PHP4 packages are available in /testing. These bump PHP4 up to 4.4.3, which is primarily a bug fix and security upgrade. It also fixes an issue with the packaging of the current 4.4.2 packages, which resulted in a non-working PEAR installation due to an error in the upstream source tarball.

I hope to get these packages released to unstable in the next few days - I've been running them for a few days here and there appears to be no issues, but as always any other testing or feedback is always appreciated. Make sure you head the warning at the top of the testing page, though!

PostgreSQL 8.1.4 has just been released, and Blastwave has updated packages as usual. This is a  major update security-wise; if you're running a PostgreSQL server you really need to upgrade as soon as possible. The PostgreSQL site has a page detailing all you need to know about this particular problem, and how it may affect you. Packages will be making their way out to the mirrors shortly, and I'll also be updating my PHP packages the moment the upstream source is released.

Hot on the heels of the 8.1.2 package, 8.1.3 has been released. This fixes a serious security issue, and while it hasn't yet made it into Blastwave's "unstable" tree, you can grab it from our testing directory. Expect to see it available from our mirrors through pkg-get shortly. The PostgreSQL team had this to say in their release announcement:

PostgreSQL minor version 8.1.3 has been released, containing a patch for a serious security issue present in the 8.1 branch. All users of 8.1 are urged to upgrade at the earliest opportunity. Minor versions 8.0.7, 7.4.12, and 7.3.14 are being released at the same time. These contain only minor bug fixes to the 8.0, 7.4 and 7.3 versions and can be upgraded on a more planned schedule, unless of course you are encountering one of the bugs described. The security issue in 8.1.x allows an authenticated database user to escalate his ROLE privileges by exploiting knowledge of the backend protocol. While there are no known exploits in the wild for this, users are urged not to wait until they encounter one. 8.1.3 also contains a number of other bug fixes, most of them for very specific (rare) database configurations and schema issues, but including a number of crash fixes. Notable also is a fix to the TSearch2 GiST index generation code which will significantly speed up creation of TSearch2 indexes.

New PostgreSQL and related packages (postgresql, libpq and postgresqlcontrib) have been released to the "unstable" tree. These packages bump the version to 8.1.2, and include a number of important bug fixes. Of particular importance is the resolution of a bug present in previous versions of PostgreSQL that could lead to data loss - for more details, please see the 8.1.2 release announcment. A dump/restore is not required for those already running 8.1.x, unless you are affected by the locale or plperl issues described in the release notes.

I'm pleased to announce that PostgreSQL 8.1.0 packages are now available from Blastwave, and should be making their way out to the mirrors as I type. This set of packages includes libpq, the core postgresql package, contrib, and the updated set of JDBC drivers. Please note that there are a large number of changes with this 8.1.0 release - for details on all the new features, please see the official PostgreSQL announcement : http://www.postgresql.org/docs/whatsnew. Please also note that if you are intending to update to this version from a previous installation (either 7.3.x or 8.0.x), you will need to do a dump and reload of your database. Your old data directory will not work with the new packages, due to changes made by the PostgreSQL developers. For information on this dump and reload procedure, see the HTML documentation (also included with the package) at the following URL : http://www.postgresql.org/docs/8.1/interactive/backup.html. I recommend taking a full dump of your database and testing the backup works as expected before proceeding with this upgrade.

Finally got them off to the mirrors. And of course, life being what it is, the moment I do that, PHP 4.4.1 source is released. Hey ho... Still, the official announcement is included in the full text of this post. Expect to see 4.4.1 packages in a few days... Oh, and PostgreSQL 8.1.0 packages as soon as the final release is announced. I've been building all the betas and RCs so am ready to get new packages out there as soon as it's available. Continue reading "PHP packages finally released"

Now the Blastwave "stable" freeze is over, there's a further round of updates for my PHP4 packages which fix a few bugs and add a few new features. All available from http://www.blastwave.org/testing/ as usual. Any testing would be greatly appreciated, as I really want these to be the final release, and to to get them out to the mirrors in the next week or so. Changes in this release include the further modularisation - I have split the package into a core php4_cgi (with added FastCGI support) , the Apache modules in mod_php, and the extensions in php4_$extension. To summarise : If you only wanted the command-line interpreter, or CGI build, you'd just install php4_cgi. This includes the binaries, PEAR libraries, and various headers. It also takes care of installing a php.ini, if none exists. This is also the package you'd use if you wanted to set up a FastCGI environment, perhaps using iPlanet/SunOne/Java system webserver/whatever-sun-are-calling-it-this-month. If you wanted to install a PHP module for Apache (either 1.x or 2.x), you'd install mod_php (which is the same package name as the one people currently download, e.g. CSWphp. ). This includes a dependency on php4_cgi, so if you install this, you'll also get the PEAR libraries and "foundations" needed for PHP to function etc. If you then want to add support for a particular extension, you install php4_$extension. For instance, to add MySQL support, you'd install php4_mysql. There is also a "bundle" package, which doesn't contain any files, but does contain dependencies for php4_cgi, mod_php, apache 1.3.x, and all the extensions. This emulates the current monolithic build; for a full PHP4 installation, this is the package you'd install (pkg-get -i php4). See my previous blog entries for details on the new build approach I am using.

Packages at http://www.blastwave.org/testing/ - just an incremental upgrade this time. From the Nessus news file :

(Slight) Speed improvements : - Faster scan startup speed (at the expense of a slightly bigger memory usage). - Faster scans in general Depending on the speed of your hard drive and the OS you're running on, you may experience up to 15% speed improvement. Bug fixes : - Fixed the use of an uninitialized buffer in the shared socket code - Fixed some uninitialized variables in nessus_tcp_scanner - Fixed several null pointer dereferencements in libnasl - Several other minor bugs have been fixed (see bugs.nessus.org for details) Misc : - New NASL function 'send_capture()' - nessusd rotates nessusd.messages on startup if the file is too big - Enhanced nessus_tcp_scanner - nessus-fetch now calls nessus-update-plugins upon registration

Packages are :

libnasl-2.2.5-SunOS5.8-i386-CSW.pkg.gz libnasl-2.2.5-SunOS5.8-sparc-CSW.pkg.gz nessus-2.2.5-SunOS5.8-i386-CSW.pkg.gz nessus-2.2.5-SunOS5.8-sparc-CSW.pkg.gz nessuslib-2.2.5-SunOS5.8-i386-CSW.pkg nessuslib-2.2.5-SunOS5.8-sparc-CSW.pkg.gz nessusplugins-2.2.5-SunOS5.8-i386-CSW.pkg.gz nessusplugins-2.2.5-SunOS5.8-sparc-CSW.pkg.gz

Install nessuslib, libnasl, nessus and nessusplugins in that order. A good walkthrough is available at http://www.nessus.org/demo if you're interested in trying this package out. Note that starting the server and logging into the client for the first time can take a while, as it has to load and scan all the plugins (it's faster after it's done it once).

My new PHP packages are ready for testing at the usual place. They are taken from the new 4.4.0 release - the full release announcement is available on the PHP site. This release is primarily a bug fix over the 4.3.x series, but the ABI has changed, breaking compatibility with 3rd party PHP extensions, hence the middle digit incrementing. As with the previous 4.3.11 testing packages, these are using the new "modular" packaging approach - details of this are in my previous blog entry here. Please post any feedback or bug reports etc. - I'd like these to be really well tested before making the move out to the mirrors. As with last time, the core packages are mod_php, the extensions are all php4_xyz, and there is also a "bundle" package - php4-4.4.0-SunOS5.8-all-CSW.pkg.gz. This just contains dependencies for all packages and Apache 1, emulating the behaviour of the current package; giving the user a complete PHP installation with all extensions enabled and activated in Apache.

I have finished work on a bunch of new PHP packages - there are a lot of changes with these, so be warned that there will probably be a few tweaks needed here and there before they're ready for the prime time. However, if you're feeling brave and would like to test, I'd appreciate any comments or feedback. They are all available at the usual place, http://www.blastwave.org/testing/ . A full list of packages is included in the full body of this entry. The 2 major changes for this release are : Modular extensions The mod_php package now just includes a very minimal "core". Many extensions are now built as shared libraries and have been split off into their own packages. The reasoning behind this is that a user can just grab what they need, instead of a huge monolithic build of PHP that eats up memory with things that they very probably don't need - not to mention saving space and time by not downloading all the various dependencies that go with it. Under this new system, if you just want PHP with, say MySQL and OpenSSL support, you would install mod_php, then php4_mysql and php4_openssl. Multiple SAPIs, Apache 2 support I have removed the dependency on CSWapache from the core mod_php package. The reasoning behind this is that a user may just want the CLI or CGI executables. These are shipped as /opt/csw/bin/php and /opt/csw/bin/php-cgi respectively. There is also now an Apache 2 module shipped alongside the standard Apache 1. These have both been relocated to /opt/csw/lib/php/sapi. The postinstall script will check for the presence of CSWapache or CSWapache2, and if found, will activate itself. As long as both servers are listening on different ports, you can even run both on the same machine. The big caveat here is that if you are using Apache 2 and PHP, you should only ever use the prefork MPM. The PHP folks still seem to consider Apache 2 support as "experimental", but many Linux distros ship with it enabled and I've yet to hear bad things about it as long as prefork is used. Continue reading "First set of new PHP packages ready for testing"

A bit of a bumper update from me... several packages are now available for testing at http://www.blastwave.org/testing. Any comments welcome - providing no major glitches are uncovered, these should make their way out to the main pkg-get repository and mirrors in a week or so. They are : mod_php 4.3.11

mod_php-4.3.11-SunOS5.8-i386-CSW.pkg.gz mod_php-4.3.11-SunOS5.8-sparc-CSW.pkg.gz

This is PHP 4.3.11 for CSWapache. It is built linked against the new libpq 8.0.3, and also has had mbstring support added at the request of a user. Hopefully, this will be one of the last "monolithic" releases, and future PHP packages will be split into modules. One thing to note with this package is it appears that the HTTP and Mail PEAR libraries are no longer bundled with this release. If you are using them, you'll have to grab the latest versions from PEAR. Other changes over the previously released 4.3.10 package include FreeTDS (MSSQL and Sybase support) and UnixODBC extensions. libstatgrab 0.11.1

libstatgrab-0.11.1-SunOS5.8-i386-CSW.pkg.gz libstatgrab-0.11.1-SunOS5.8-sparc-CSW.pkg.gz

This is bumped to 0.11.1, a minor bugfix release. It is a library that provides cross platform access to statistics about the system on which it's run (CPU usage, memory utilisation, disk usage, network traffic, etc.). It also includes a couple of useful tools - "saidar", which is a tool for giving an overview of the system in a "top"-like manner, and "statgrab", which can be used in shell scripts to get statistics through a sysctl-style interface. nessus 2.2.4

libnasl-2.2.4-SunOS5.8-i386-CSW.pkg.gz libnasl-2.2.4-SunOS5.8-sparc-CSW.pkg.gz nessus-2.2.4-SunOS5.8-i386-CSW.pkg.gz nessus-2.2.4-SunOS5.8-sparc-CSW.pkg.gz nessuslib-2.2.4-SunOS5.8-i386-CSW.pkg nessuslib-2.2.4-SunOS5.8-sparc-CSW.pkg.gz nessusplugins-2.2.4-SunOS5.8-i386-CSW.pkg.gz nessusplugins-2.2.4-SunOS5.8-sparc-CSW.pkg.gz

THE open source security scanner. Install nessuslib, libnasl, nessus and nessusplugins in that order. A good walkthrough is available at http://www.nessus.org/demo if you're interested in trying this package out. Note that starting the server and logging into the client for the first time can take a while, as it has to load and scan all the plugins (it's faster after it's done it once). Update : Packages now heading out to the mirrors. Mod_php is on hold at the moment, as I'm overhauling it and looking at providing an Apache 2 SAPI as well.

Although things have been quiet on the Blastwave front recently, it hasn't been because of lack of activity. I am currently working on a set of PostgreSQL 8.0.3 packages, which resolve several bugs as well as some fairly serious security issues, the full details of which can be found here. Due to various changes "under the hood", binary compatibility has broken in this release - libpq, libecpg etc. have all had their major version numbers bumped. This means that anything that links to these libraries should be relinked as soon as possible, but I have also included the previous libraries from 8.0.1 so that existing applications won't break; you can therefore update and migrate at your convenience. The PHP package is also due an update soon. I have 4.3.11 packages ready, although I'm waiting for the PostgreSQL packages to get released first before I relink. It's just a minor update, although UnixODBC, FreeTDS and MySQLi extensions are now enabled, with mbstring due to be added Real Soon Now (tm). I have also started work on splitting PHP up into a more manageable system, with the extensions build as shared modules. In other words, you'd download the core CSWphp package with a minimal set of dependencies (CSWapache etc.), which would provide the basics. If you then needed database access, you'd install CSWphp4_mysql or CSWphp4_pgsql etc. along with their dependencies (mysql4rt or libpq respectively). This is actually working at the moment, but there needs to be a lot more testing with the module loading/unloading in php.ini before I'm happy with it. Update : The PostgreSQL packages are now available from http://www.blastwave.org/testing - note that these are "testing" packages, and should only be installed if you're interested in helping track down any bugs etc. Otherwise, it is recommended that you wait a week or so until they end up in the main pkg-get repository. Update 2 : PostgreSQL packages are out, and there's even a mention at the Blastwave homepage . PHP packages, Nessus and more coming soon...